Spam/fraudulent packages on Hackage

[ocramz]

https://hackage.haskell.org/package/my-test-docs
https://hackage.haskell.org/package/Facebook-Password-Hacker-Online-Latest-Version

(I've just sent a mail about it to libraries as well)

[NJBS]

https://hackage.haskell.org/package/Fortnite-Hack-Cheats-Free-V-Bucks-Generator-1.0.1
https://hackage.haskell.org/package/Clash-Royale-Hack-Cheats

two more malicious uploads

[gbaz]

Do we need to put hackage on lockdown for the time being? Shoot.

[gbaz]

(i disabled the account just now, but we need to prevent the spammer from making new ones)

[NJBS]

@gbaz thanks, do note however that these packages were uploaded by two accounts:
https://hackage.haskell.org/user/hejirumo
https://hackage.haskell.org/user/bobo8

Your message makes it seem like you only disabled one, so I just want to make sure it's clear that it's two accounts 😄

[gbaz]

The other account was disabled earlier.

[tfausak]

More:

• https://hackage.haskell.org/package/Mobile-Legends-Hack-Cheats-1.0.1
• https://hackage.haskell.org/package/Eight-Ball-Pool-Hack-Cheats-1.0.1

User: https://hackage.haskell.org/user/bob121

[gbaz]

ok we're going to do an emergency redeploy to turn off the add-to-uploaders-by-default for now. ugh.

[gbaz]

Redeploy done.

There aren't too many bad packages uploaded, but it would be good to black-hole them more thoroughly. In the meantime they can be marked deprecated and their spammy descriptions can be revised away.

Related tickets for erasing them more thoroughly from the UI:

haskell/hackage-server#201
haskell/hackage-server#382

[hvr]

I've made revisions to the packages exhibiting signs of unsolicited advertisement reported here.

[ocramz]

Thank you @hvr and @gbaz for responding promptly to this, however the spammy content is still available (in the Cabal file in fact).
They are also still visible in the index.
I know Hackage is supposed to be write-only, but wouldn't it be possible to intervene by hand and downright delete these packages?

[hvr]

@ocramz Yes we're intending to do so mid/long-term, but since this wasn't a concern in the past and the data model isn't optimised for this, we need to do a bit of preparatory work before we can handle this properly. We just did short-term the things we could do easily, and the rest will come later.

[gbaz]

Looking at the logs I noticed that we were still getting a lot of search traffic to the damn spam packages (I guess the keywords on them were high quality!) so I went and blasted them in the nginx conf with a 410 Gone.

[vdorr]

FYI some people may not get that "No access for this resource" means "After your account is created, you cannot upload until you contact the hackage admins" ;-)

[gbaz]

I'd be happy to take a PR for that. I think the message for the 403 is overridable.

[RyanGlScott]

They're back :\

• http://hackage.haskell.org/package/f-ree-hack-cheats-free-v-bucks-generator-0.2
• http://hackage.haskell.org/package/free-v-bucks-generator-no-survey-0.2
• http://hackage.haskell.org/package/free-v-bucks-generator-no-survey-0.3

[gbaz]

Thanks. I disabled that account :-/

[gbaz]

look at these revisions, yipe: http://hackage.haskell.org/package/f-ree-hack-cheats-free-v-bucks-generator-0.2/revisions/

[gbaz]

We should kline the spam packages in the nginx conf again too.

[gbaz]

these packages too http://hackage.haskell.org/user/demigod

[expipiplus1]

Who makes the decision (and how) on what to censor on Hackage? Is there documentation on that constitutes a "fraudulent" package? (not that I disagree with the examples in this thread)

[gbaz]

The hackage admins are the only people with the perms to do this. We only act in the case of obvious spam. For anything contested, the decision would have to revert to the haskell.org committee, but that situation has never occurred.